Vmotion the guest OSes and shut it down...

Shook

From: Raper, Jonathan - Eagle [mailto:jra...@eaglemds.com]
Sent: Thursday, September 16, 2010 11:49 AM
To: NT System Admin Issues
Subject: RE: security concern - ESX host repeatedly hitting external IP...

I found that same info, but can't ANYONE join pool.ntp.org if they have a server with a static public IP? http://www.pool.ntp.org/en/join.html

I know which host it is coming from, and we're running ESX 3.5. I'll double check the guest OSes just for kicks, but wouldn't the packet be coming from the guest OS IP Address, and not the ESX host itself? How would I interrogate the ESX host?

Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
jra...@eaglemds.com
www.eaglemds.com

________________________________
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Thursday, September 16, 2010 11:44 AM
To: NT System Admin Issues
Subject: RE: security concern - ESX host repeatedly hitting external IP...

> 72.18.205.156
Name: mail.freerip.com
Address: 72.18.205.156

That isn't the pool.NTP.ORG block, which is commonly utilized in ESX environments to provide synced time to the ESX hosts and therefore its underlying ESX guests. You might need to see which ESX host it's coming from and interrogate the ESX guests to see who might possibly be behaving badly.
http://whois.domaintools.com/72.18.205.156
Edward E. Ziots
CISSP, Network+, Security+
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Raper, Jonathan - Eagle [mailto:jra...@eaglemds.com]
Sent: Thursday, September 16, 2010 11:23 AM
To: NT System Admin Issues
Subject: security concern - ESX host repeatedly hitting external IP...

We're getting ready to decommission an old router, and almost all of the traffic to and through it (except broadcast) has stopped. I'm reviewing the syslog, and keep seeing this:

9/16/2010 8:36:50 AM [Internal Router Private IP Address] Informational SEC-6-IPACCESSLOGP 651364: 44w0d: %SEC-6-IPACCESSLOGP: list permit_any permitted udp [ESX Private IP Address](0) -> 72.18.205.156(0), 1 packet

I've asked our VMware admin to look over his host configuration to make sure he isn't pointing to the old router, but he says everything is "fine." Anyone else seen this or have any ideas as to why I'm seeing this traffic?

Upon Googling said IP Address, it appears that it may be part of pool.ntp.org, but I cannot confirm this. This host is located in Warminster, PA, according to some sites.

Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
jra...@eaglemds.com
www.eaglemds.com

________________________________
Any medical information contained in this electronic message is CONFIDENTIAL and privileged. It is unlawful for unauthorized persons to view, copy, disclose, or disseminate CONFIDENTIAL information. This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and/or entity named as recipients in the message. If you are not an intended recipient of this message, please notify the sender immediately and delete this material from your computer. Do not deliver, distribute or copy this message, and do not disclose its contents or take any action in reliance on the information that it contains.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
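One way to triage the router's ACL log entries discussed in this thread, as an added example that is not from any of the posters: it parses Cisco IOS %SEC-6-IPACCESSLOGP lines, totals packets per flow, and flags outbound flows from the internal range to external hosts that are not on an allowlist of approved time servers. The sample syslog lines, the 10.0.0.0/24 internal range and the 192.0.2.10 "approved NTP server" are constructed placeholders; 72.18.205.156 is the address from the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Cisco IOS ACL logging entry, e.g.
#   %SEC-6-IPACCESSLOGP: list permit_any permitted udp 10.0.0.20(0) -> 72.18.205.156(0), 1 packet
# Ports show as (0) when the ACE did not match on a port (as in the thread's line), so the
# entry alone cannot confirm udp/123 (NTP); the flagged flow still needs a look at the source host.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog lines; 10.0.0.0/24 stands in for the thread's private addresses.
SAMPLE_LOG = [
    "9/16/2010 8:36:50 AM 10.0.0.1 Informational SEC-6-IPACCESSLOGP 651364: 44w0d: %SEC-6-IPACCESSLOGP: list permit_any permitted udp 10.0.0.20(0) -> 72.18.205.156(0), 1 packet",
    "9/16/2010 8:52:11 AM 10.0.0.1 Informational SEC-6-IPACCESSLOGP 651365: 44w0d: %SEC-6-IPACCESSLOGP: list permit_any permitted udp 10.0.0.20(0) -> 72.18.205.156(0), 3 packets",
    "9/16/2010 8:53:02 AM 10.0.0.1 Informational SEC-6-IPACCESSLOGP 651366: 44w0d: %SEC-6-IPACCESSLOGP: list permit_any permitted udp 10.0.0.21(123) -> 192.0.2.10(123), 2 packets",
    "9/16/2010 8:54:40 AM 10.0.0.1 Informational SEC-6-IPACCESSLOGP 651367: 44w0d: %SEC-6-IPACCESSLOGP: list permit_any permitted tcp 198.51.100.7(4433) -> 10.0.0.5(443), 1 packet",
    "9/16/2010 8:55:00 AM 10.0.0.1 Error LINK-3-UPDOWN 651368: 44w0d: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
]

def parse_acl_log(line):
    """Return the fields of one IPACCESSLOGP entry, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def summarize_flows(lines):
    """Total packets per (src, dst, proto, dport) across all parseable entries."""
    flows = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is not None:
            flows[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += rec["count"]
    return dict(flows)

def unexpected_destinations(flows, internal_net, approved_hosts):
    """Outbound flows from internal_net to external hosts that are not on the approved list."""
    internal = ip_network(internal_net)
    approved = {ip_address(h) for h in approved_hosts}
    hits = []
    for (src, dst, proto, dport), packets in sorted(flows.items()):
        s, d = ip_address(src), ip_address(dst)
        if s in internal and d not in internal and d not in approved:
            hits.append({"src": src, "dst": dst, "proto": proto, "dport": dport,
                         "packets": packets, "port_unknown": dport == 0})
    return hits
```

Running `unexpected_destinations(summarize_flows(SAMPLE_LOG), "10.0.0.0/24", ["192.0.2.10"])` reports the single 10.0.0.20 -> 72.18.205.156 flow with `port_unknown` set, which is the cue to check that source host's own time-server configuration rather than assume NTP from the log alone.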